The Department of Energy (DoE) remains vulnerable to cyber threats directed towards its critical systems and applications, including those in its nuclear security office, after failing to mitigate all known vulnerabilities identified in 2016 by the department’s Inspector General (IG) office.

new IG report, released the week of Oct. 8, finds DoE has yet to address 3 of the 16 cyber vulnerabilities it cited in its 2016 evaluation of the department, including an ineffective vulnerability management program, lagging system integrity for its web applications and weak access controls.

“Without improvements to its cyber security program in areas such as enhanced controls over vulnerability management and access controls, the Department’s systems and information may be at a higher-than-necessary risk of compromise, loss, and/or modification,” the IG wrote in its report. “Furthermore, without improvements to ensure that the most current federal security requirements are implemented, programs and sites may not keep pace with the challenges facing an ever-changing cyber security landscape.”

DoE remains vulnerable to advanced persistent threats targeted towards its systems, and faced 18,000 potential incidents in fiscal year 2017 stemming from malicious code, information compromise attempts and unauthorized use of applications. Most attacks were aimed at stealing department information, denying access to systems or degrading information systems, according to the report.

The IG is tasked with conducting independent evaluations of federal departments’ ability to protect its data, and in its fiscal year 2016 report on DoE found 16 critical weaknesses.

Over the last year, department officials mitigated 13 of those weaknesses as well as reduced the number of vulnerability management findings from nine to five.

“While these actions were positive, our current evaluation found that the types of weaknesses identified in prior years, including issues related to vulnerability management, system integrity of Web applications, and access controls continue to exist,” the IG wrote.

Several DOE sites have continued using software with missing security patches, and the IG found workstations and servers with no anti-virus software installed to protect information systems.

Department programs are still using Inadequate vulnerability management systems first identified in the IG’s fiscal year 2015 and 2016 evaluations. Certain applications were unable to prevent malicious input data, and other sites had yet to implement corrective action plans to update flaws in system integrity.

“At one site, we found approximately 480 commercial off-the-shelf products missing patches for vulnerabilities rated as critical or high risk, including one device that could have allowed an authenticated attacker to bypass security controls and access higher privileged functions that are normally restricted to administrative users.” said the report, which also found active user accounts in three locations for those no longer with the department.

In an Oct. 4 letter to Acting Inspector General April Stephenson included in the report, DoE Chief Information Officer Stephen “Max” Everett acknowledged that the department has taken steps to mitigate its cyber vulnerabilities but has yet to reach an acceptable level.

“The deficiencies identified from the IG assessment include ongoing issues that have been noted in prior years, including issues related to vulnerability management, system integrity of Web applications, access controls and segregation of duties, and management of Plans of Actions and Milestones,” said Everett. “These known areas of weakness will continue to be addressed at all organizational levels to ensure that our information assets and systems are adequately protected from harm.”